<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Barracuda Labs Internet Security Blog</title>
	<atom:link href="http://www.barracudalabs.com/wordpress/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.barracudalabs.com/wordpress</link>
	<description></description>
	<lastBuildDate>Thu, 02 Feb 2012 14:24:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Attackers Use Fake Friends to Blend into Facebook</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2012/02/02/attackers-use-fake-friends-to-blend-into-facebook/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2012/02/02/attackers-use-fake-friends-to-blend-into-facebook/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 13:53:32 +0000</pubDate>
		<dc:creator>vives</dc:creator>
				<category><![CDATA[Internet Security Tips]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Statistics]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2241</guid>
		<description><![CDATA[FOR IMMEDIATE RELEASE Attackers Use Fake Friends to Blend into Facebook Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles View the Infographic: Facebook: Fake Profiles vs. Real Users at http://www.barracudalabs.com/fbinfographic/. Campbell, Calif. (February 2, 2012) – Barracuda Networks, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ [...]]]></description>
			<content:encoded><![CDATA[<p><strong>FOR IMMEDIATE RELEASE</strong></p>
<p><strong>Attackers Use Fake Friends to Blend into Facebook</strong></p>
<p><strong>Barracuda Labs Unveils New Research Study Analyzing Facebook Profiles</strong></p>
<p>View the Infographic: Facebook: Fake Profiles vs. Real Users at <a href="http://www.barracudalabs.com/fbinfographic/" target="_blank">http://www.barracudalabs.com/fbinfographic/</a>.</p>
<p>Campbell, Calif. (February 2, 2012) – <a href="http://www.barracudanetworks.com/" target="_blank">Barracuda Networks</a>, a leading provider of security, networking and data protection solutions, today released findings from Barracuda Labs’ most recent study, <a href="http://www.barracudalabs.com/fbinfographic/" target="_blank">Facebook: Fake Profiles vs. Real Users</a>. The study analyzes a random sampling of 2,884 active Facebook accounts to identify key differences between average real user accounts and fake accounts created by attackers and spammers. The results of the study are being presented today at the 2012 <a href="http://www.kaspersky.com/sas2012#tab=tab-1" target="_blank">Kaspersky Threatpost Security Analyst Summit</a> in Cancun, Mexico.</p>
<p>Facebook, which filed for an IPO this week, has become an important part of personal and business communication. The company consistently fights to keep attackers out of its network, most recently announcing its lawsuit against a marketing firm accused of &#8220;spreading spam through misleading and deceptive tactics&#8221;. The Barracuda Labs study provides yet another example of this “arms race” as an increasing number of attackers move to social networks to ply their wares.</p>
<p>Highlighted findings from the Barracuda Labs study include:<br />
•    Almost 60 percent of fake accounts claim to be bisexual, 10 times more than real users<br />
•    Fake accounts have six times more friends than real users, 726 versus 130<br />
•    Fake accounts use photo tags over 100 times more than real users, 136 tags per four photos versus one tag per four photos<br />
•    Fake accounts almost always (97 percent) claim to be female, as opposed to 40 percent for real users</p>
<p>&#8220;Likes, News Feeds and Apps have helped lead Facebook to its social network dominance and now attackers are harnessing those same features to efficiently scale their efforts,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “These fake profiles and apps give attackers a long-lived path to continuously present malicious links to innocent users.</p>
<p>“Also, researchers have shown how friending malicious accounts can lead to account takeover using Facebook&#8217;s trusted friend account recovery,” Judge continued. “We have analyzed thousands of fake accounts to determine features and patterns that distinguish them from real users, and created a feature-based heuristic engine to distinguish real users from fake profiles.&#8221;</p>
<p>The study analyzes data collected from <a href="http://www.profileprotector.com/" target="_blank">Barracuda Profile Protector</a>, a free tool that analyzes and blocks malicious activity on Facebook and Twitter, along with public data collected from streams and network crawling to demonstrate how users typically operate. The study illustrates how attacks on Facebook are structured to exploit the “friendship” concept and trust of widely-used applications. A variety of machine learning techniques are used to analyze shared URLs, profile images, profile information, and connections with other users to reveal associations, weak and strong, between malicious users.</p>
<p>Resources:<br />
•    Download the Infographic: Facebook: Fake Profiles vs. Real Users at <a href="http://www.barracudalabs.com/fbinfographic/" target="_blank">http://www.barracudalabs.com/fbinfographic/</a>.<br />
•    View the Barracuda Labs security research portal at <a href="http://barracudalabs.com/" target="_blank">http://barracudalabs.com</a>.<br />
•    Install Profile Protector at <a href="http://profileprotector.com/" target="_blank">http://ProfileProtector.com</a>.<br />
•    Follow <a href="http://twitter.com/barracudalabs" target="_blank">Barracuda Labs on Twitter</a> at @barracudalabs</p>
<p>About Barracuda Labs<br />
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks&#8217; business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs&#8217; threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit <a href="http://www.barracudalabs.com/" target="_blank">www.barracudalabs.com</a>.</p>
<p>About Barracuda Networks Inc.<br />
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company&#8217;s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L&#8217;Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks&#8217; range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit <a href="http://www.barracudanetworks.com/" target="_blank">www.barracudanetworks.com</a>.</p>
<p>###</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2012/02/02/attackers-use-fake-friends-to-blend-into-facebook/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Human Rights Group Used to Spy on Activists</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 17:44:25 +0000</pubDate>
		<dc:creator>Paul Royal</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Web Security]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[spear-phishing]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2216</guid>
		<description><![CDATA[By Paul Royal, Research Consultant Amnesty International&#8217;s UK website has been compromised and is serving drive-by downloads. Historical data indicates the website AIUK was compromised on or before Friday, December 16. Details: Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen [...]]]></description>
			<content:encoded><![CDATA[<p><em>By Paul Royal, Research Consultant<br />
</em></p>
<p>Amnesty International&#8217;s UK website (AIUK) has been compromised and is serving drive-by downloads. Historical data indicates the AIUK website was compromised on or before Friday, December 16.</p>
<p>Details:</p>
<p>Visiting hxxp://www[.]amnesty[.]org[.]uk loads hxxp://3max[.]com[.]br/cgi-bin/ai/ai.html via an iframe. 3max.com.br, which itself is a legitimate but compromised Brazilian automotive website, loads malicious Java content (stolen from the <a href="https://metasploit.com/svn/framework3/trunk/external/source/exploits/CVE-2011-3544/Exploit.java">Metasploit project</a>), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor&#8217;s system.</p>
<p>Details of Vulnerability Targeted by the Exploit<br />
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544</a><br />
VirusTotal Detections for Exploit<br />
<a href="http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153">http://www.virustotal.com/file-scan/report.html?id=1cc214cee10f02d37359c0e3d04fd57899333c4b1eaa81489c74e5c2fa17c3a8-1324068153</a><br />
VirusTotal Detections for Exploit Payload<br />
<a href="http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892">http://www.virustotal.com/file-scan/report.html?id=0e53832e1c36d34a3d05c05f73ebab22a74ade95c5f3b7d9f74fad4f56d10023-1324067892</a></p>
<p>The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.</p>
<p>Amnesty International UK has been notified about the compromise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/12/22/authoritarian-regime-uses-human-rights-group-to-spy-on-activists/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How your facebook password was stolen, and why</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/12/19/how-your-facebook-password-was-stolen-and-why/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/12/19/how-your-facebook-password-was-stolen-and-why/#comments</comments>
		<pubDate>Mon, 19 Dec 2011 21:46:52 +0000</pubDate>
		<dc:creator>Dave Michmerhuizen</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2198</guid>
		<description><![CDATA[by Dave Michmerhuizen &#38; Luis Chapetti &#8211; Security Researchers &#160; Here&#8217;s something we hear regularly at Barracuda Labs&#8230; &#8220;My mom called me and said that someone posted something bad on her facebook.  How did they do that? What should I tell her?&#8221; Our two-part answer is simple.  First, mom probably clicked on something and unwittingly [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><span style="color: #999999;"><em>by Dave Michmerhuizen &amp; Luis Chapetti &#8211; Security Researchers</em></span></p>
<p style="text-align: left;">&nbsp;</p>
<p style="text-align: left;">Here&#8217;s something we hear regularly at Barracuda Labs&#8230;</p>
<p style="padding-left: 30px;"><em>&#8220;My mom called me and said that someone posted something bad on her facebook.  How did they do that? What should I tell her?&#8221;</em></p>
<p>Our two-part answer is simple.  First, mom probably clicked on something and unwittingly gave it permission to post to her wall.  Second, there is always a possibility that mom had her password stolen.   She should change her Facebook password at once, as well as change the password on any service where she might have used that same password.</p>
<p>Facebook passwords do get stolen.  Below is one example of how that happens.</p>
<p>&nbsp;</p>
<p>It starts with a message like this one that spreads from one wall to another.</p>
<p><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3wp.jpg" target="_blank"><img class="alignnone size-full wp-image-2199" style="border: 1px solid black;" title="malicious facebook post" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3wp.jpg" alt="malicious facebook post" width="450" height="187" /></a></p>
<p>Clicking on the link in the message opens up what looks like a Facebook login page.</p>
<div id="attachment_2203" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3phish.jpg" target="_blank"><img class="size-full wp-image-2203 " title="fake facebook login page" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3phish.jpg" alt="fake facebook login page" width="450" height="406" /></a><p class="wp-caption-text">(click to open full-size image)</p></div>
<p>Facebook will pop up a login page in certain situations to make certain that you are properly authenticated.   In this case the login page is entirely fake and is not part of Facebook at all.</p>
<p>Suppose you were in a hurry and didn&#8217;t take time to look at the URL of the page.   If you fill in your information and press the Login button, here&#8217;s what happens:</p>
<div id="attachment_2204" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3pcap.jpg" target="_blank"><img class="size-full wp-image-2204 " title="results of pressing 'Login'" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3pcap.jpg" alt="results of pressing 'Login'" width="450" height="244" /></a><p class="wp-caption-text">(click for full-size image)</p></div>
<p>&nbsp;</p>
<p>As you can see in the image, your exact username and password are sent off to the Russian domain.   Once this is done, the browser is sent to a Facebook themed &#8216;survey&#8217; site.</p>
<div id="attachment_2205" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3survey.jpg" target="_blank"><img class="size-full wp-image-2205 " title="facebook themed 'survey' site" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/12/fb3survey.jpg" alt="facebook themed 'survey' site" width="450" height="416" /></a><p class="wp-caption-text">(click for full-size image)</p></div>
<p>These &#8216;survey&#8217; sites offer some gift in exchange for participating in an endless cycle of marketing schemes, many of which ask for personal information and none of which ever deliver the promised gift.</p>
<p>&nbsp;</p>
<p>The remaining question is <em>why</em> criminals steal Facebook passwords, and there are three good answers.</p>
<p>1. Personal information on your Facebook account can be used to piece together full-fledged identity theft.</p>
<p>2. A stolen Facebook account is the perfect vehicle for carrying out the <a href="http://seattletimes.nwsource.com/html/travel/2012473909_trscam01.html" target="_blank">Stranded Traveler scam</a>.</p>
<p>3.  Survey scammers such as the ones shown here have to start their viral campaigns somewhere, and a stolen account, with its hundreds of trusting friends, is the perfect place to start.</p>
<p>&nbsp;</p>
<p>With the new Facebook Timeline rolling out this week, users should be particularly careful with the personal information they make available on their pages.  As always, Barracuda Networks recommends that you be cautious with what you click on and change your password regularly as a matter of course.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/12/19/how-your-facebook-password-was-stolen-and-why/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do we really want better spam detection on social networks?</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/12/15/do-we-really-want-better-spam-detection-on-social-networks/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/12/15/do-we-really-want-better-spam-detection-on-social-networks/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 13:14:28 +0000</pubDate>
		<dc:creator>Barracuda Labs</dc:creator>
				<category><![CDATA[SEO Poisoning]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=1971</guid>
		<description><![CDATA[by Daniel Peck, Research Scientist The question sounds crazy, especially for someone who&#8217;s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better.  But we do a disservice to tools geared for protection when we don&#8217;t think long term about the consequences of them.  [...]]]></description>
			<content:encoded><![CDATA[<p><em>by Daniel Peck, Research Scientist</em></p>
<p>The question sounds crazy, especially for someone who&#8217;s spent a fair amount of the last year working on making spam and other malicious message detection on social networks better.  But we do a disservice to tools geared for protection when we don&#8217;t think long term about their consequences.  Does better spam detection on, say, Twitter reduce the total amount of spam that users see, or does it just change the signal-to-noise ratio?</p>
<p>Websites whose only content is related to spam didn&#8217;t get many hits.  This led spammers to move to Search Engine Optimization techniques, which have had a good run and are still fairly effective, but more often than not spam sites are full of legitimate content harvested from other sites.</p>
<p>I suspect, and have seen several examples, that the same trend is taking place in social media.  We build systems that force spammers to put more &#8220;real&#8221; content into the stream, so that they don&#8217;t immediately out themselves. These fake accounts contain plenty of retweets of popular stories, and shared links on Facebook with a bit of &#8220;hey, what a great deal on shoes&#8221; or &#8220;click here to see my naked&#8221; thrown in here and there.</p>
<p>Times are changing here too: sharing too many popular things also indicates that an account is a spammer, or at the very least a much less valuable node in the network.  So the next step is wholesale copying of real people&#8217;s profiles, complete with pictures of their cat: a bizarro you, with everything from your Facebook account duplicated on another network, such as Tumblr or Google+, with an occasional spam or malicious link thrown in.  The kind of place where friends will eagerly add you, because everyone needs to be connected to every one of their friends through every medium possible of course, and not think twice about clicking on the malicious link that bizarro you just shared out.</p>
<p>Besides being quite a blow to the privacy of the accounts being copied, this also reduces the trust that anyone can put into a user, which may not necessarily be a bad thing from a security point of view.  But are we making a problem that&#8217;s cosmically easy to spot for end users, such as the endless number of Nigerian prince scams, morph into something that is much more difficult for the end user to distinguish from real content?  Are we moving towards an advertorial world where the signal and the noise are nearly impossible to separate?</p>
<p>When it comes to advanced vulnerability discovery and exploitation techniques, I am all for raising the level of discourse and seeing talented researchers raise the bar for attack and defense alike, but with something like this I&#8217;m not so sure.  Maybe it’s best to keep the bar low with regards to detection/blocking on social media and focus on securing APIs and the data they access, understanding that it&#8217;s better for those with less benevolent intent to pull out a few weak individuals from the herd than to give them incentive to find methods to take the whole.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/12/15/do-we-really-want-better-spam-detection-on-social-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The more connected the more vulnerable</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/12/13/the-more-connected-the-more-vulnerable/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/12/13/the-more-connected-the-more-vulnerable/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 20:04:00 +0000</pubDate>
		<dc:creator>Barracuda Labs</dc:creator>
				<category><![CDATA[Internet Security Tips]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Statistics]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2156</guid>
		<description><![CDATA[by Daniel Peck, Research Scientist The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems like more [...]]]></description>
			<content:encoded><![CDATA[<p><em>by Daniel Peck, Research Scientist</em></p>
<p>The Facebook data team released some <a href="https://www.facebook.com/notes/facebook-data-team/anatomy-of-facebook/10150388519243859">interesting data</a> a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems that more than 90% of people on the network are separated by only four degrees, meaning that any person A has a friend that knows a friend of person B.</p>
<p>Interesting in and of itself, this shows how social networking is used to connect to people with whom you have very little in common, perhaps enjoying similar music, enjoying the same food, or liking the same apps/games on Facebook.  Something like mini ad-hoc Farmville Fan Clubs.  And that is neat: the more connected we are to one another, then maybe the more we&#8217;ll understand each other.</p>
<p>That said, this amount of connectedness has a price in the realm of trust, especially with regards to anomaly detection and behavioral classification. The network doesn&#8217;t distinguish the levels of trust/friendship that we have in the real world.  This is likely a necessary level of abstraction, and we don&#8217;t have a leaderboard of friends&#8217; trust levels, but you have an internal model that allows you to weigh &#8220;truths&#8221; differently based on whether they came from a longtime friend versus someone you met because you attended a one-day class together. Software can&#8217;t know these levels, at least not without an unreasonable level of training from the user, so for the purposes of behavioral classification it has to use more derived variables, like connectedness, on the social graph.  As this collapses, these variables become less valuable, and may introduce false levels of trust within your real circle of friends.  We&#8217;ve seen this become increasingly popular with spammers working through fake accounts.  Usually the steps go something like this:</p>
<ol>
<li>An account is created with a profile listing that they went to &#8220;Generic State U&#8221;.</li>
<li>A few friend requests are sent to others within the &#8220;Generic State U&#8221; ad-hoc group, and with a relatively high level of certainty a few will accept.</li>
<li>The spammer then has a foothold into that person&#8217;s network, and each &#8220;friend&#8221; request they send out has more legitimacy.</li>
<li>Your real friends are wishing these fake accounts &#8220;happy birthday&#8221; and commenting on their latest picture uploads, and occasionally having malware-spreading links dropped into their feed.</li>
</ol>
<p>This level of trust via degree connectedness leads to a sort of herd vulnerability. Each malicious account that gains a foothold on the network means all users of the network are much more vulnerable. The extra few seconds that you take to verify a friend connection, even if you aren&#8217;t worried about privacy issues or spam yourself, helps protect less savvy users and keeps some of the easiest computations for behavioral analysis effective and the network as a whole a bit less dangerous for the weaker members.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/12/13/the-more-connected-the-more-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Personal Safety: Two Rules For Dealing With Spam</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/12/06/our-two-rules-for-dealing-with-spam/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/12/06/our-two-rules-for-dealing-with-spam/#comments</comments>
		<pubDate>Wed, 07 Dec 2011 01:17:34 +0000</pubDate>
		<dc:creator>Dave Michmerhuizen</dc:creator>
				<category><![CDATA[Email Security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2142</guid>
		<description><![CDATA[by Dave Michmerhuizen &#38; Luis Chapetti &#8211; Security Researchers The Barracuda Labs spam traps recently received a burst of phishing emails targeting Bank of America customers. These particularly well-crafted messages underscore two important rules when dealing with spam. Rule # 1:  Never click on a link in an email, no matter how authentic it might [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #808080;"><em>by Dave Michmerhuizen &amp; Luis Chapetti &#8211; Security Researchers</em></span></p>
<p style="text-align: center;"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_clip.jpg"><img class="aligncenter size-full wp-image-2143" style="border: 1px solid black;" title="bofa_clip" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_clip.jpg" alt="" width="451" height="200" /></a></p>
<p>The Barracuda Labs spam traps recently received a burst of phishing emails targeting Bank of America customers. These particularly well-crafted messages underscore two important rules when dealing with spam.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;">Rule # 1</span>:  <strong><em>Never </em></strong>click on a link in an email, no matter how authentic it might appear.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;">Rule # 2</span>:  If a dialog asks you if you want to RUN something, <strong><em>don&#8217;t</em>.</strong></p>
<p>Many people think they can effectively spot spam by looking for the tell-tale clues such as poor grammar or misspellings. Modern spam campaigns render this approach ineffective.</p>
<p>Take a look at this very convincing email&#8230;</p>
<div id="attachment_2144" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_eml.jpg" target="_blank"><img class="size-full wp-image-2144 " title="Bank of America spam" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_eml.jpg" alt="Bank of America spam" width="450" height="766" /></a><p class="wp-caption-text">(click for full-size image)</p></div>
<p>There is nothing in this email that initially seems suspicious &#8211; except that the email offers a link to an &#8220;online statement&#8221;, which is actually a malware executable.</p>
<p>This involves rule number one &#8211; <strong><em>never </em></strong>click on a link, even if it might appear to be legitimate, indeed even if it is legitimate.  Such links are so frequently malicious that trying to determine which are and which are not is simply too risky.  It is much safer to directly visit the website of the institution within your web browser.</p>
<p>In the simplest cases, clicking on a malicious link downloads the malware executable and attempts to run it.  Before running it, Windows will prompt you and ask whether you really want to run the file, like so&#8230;</p>
<div id="attachment_2150" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_warn.jpg" target="_blank"><img class="size-full wp-image-2150 " title="Windows warning" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_warn.jpg" alt="Windows Warning" width="450" height="383" /></a><p class="wp-caption-text">(click for full size image)</p></div>
<p>&nbsp;</p>
<p>This triggers rule number two &#8211; <strong><em>never </em></strong>select Run when this dialog is presented.  No reputable unsolicited email will contain, or link to, something that needs to be run on your local computer, even if the email is from a trusted or known organization.</p>
<p>What can happen if you ignore these two rules?</p>
<p>In this case, you would have downloaded and executed a <a href="http://www.virustotal.com/file-scan/report.html?id=5f00869d04a2f4a746dd522963f546d87499e578b24add1fa4c06ddfd4f33a59-1321282780" target="_blank">bank password stealer</a>.   One of the first things this Trojan horse does is update itself with a list of banking sites that it should monitor for transmitted usernames and passwords.</p>
<div id="attachment_2152" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_post.jpg" target="_blank"><img class="size-full wp-image-2152 " title="Password Stealer update" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_post.jpg" alt="Password Stealer update" width="450" height="487" /></a><p class="wp-caption-text">(click for full size image)</p></div>
<p>Once this step is complete, the Trojan checks in with a command and control server in Russia, updating it with any banking credentials it finds.</p>
<div id="attachment_2154" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_pcap.jpg" target="_blank"><img class="size-full wp-image-2154 " title="Trojan Traffic" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/bofa_pcap.jpg" alt="Trojan Traffic" width="450" height="381" /></a><p class="wp-caption-text">(click for full size image)</p></div>
<p>&nbsp;</p>
<p><a href="http://www.barracudanetworks.com/">Barracuda Networks</a> customers using the <a title="Spam &amp; Virus Firewall" href="http://www.barracudanetworks.com/ns/products/spam_overview.php" target="_blank">Barracuda Spam &amp; Virus Firewall</a> are protected from these emails.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/12/06/our-two-rules-for-dealing-with-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Barracuda Networks Turns &#8216;Follows&#8217; and &#8216;Likes&#8217; into Meals for Children in Need</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/11/30/barracuda-networks-turns-follows-and-likes-into-meals-for-children-in-need/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/11/30/barracuda-networks-turns-follows-and-likes-into-meals-for-children-in-need/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 12:55:46 +0000</pubDate>
		<dc:creator>vives</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2162</guid>
		<description><![CDATA[By: Barracuda Labs FOR IMMEDIATE RELEASE Content Security Leader Challenges World with “Clicks for Meals” to Fight Hunger and Provide 10,000 Meals this Holiday Season Campbell, Calif. (November 30, 2011) – In an effort to combat world hunger, Barracuda Networks is challenging the world to help provide 10,000 meals for hungry children this holiday season. [...]]]></description>
			<content:encoded><![CDATA[<p><em><span style="color: #888888;">By: Barracuda Labs</span></em></p>
<p><strong>FOR IMMEDIATE RELEASE</strong></p>
<p>Content Security Leader Challenges World with “Clicks for Meals” to Fight Hunger and Provide 10,000 Meals this Holiday Season</p>
<p><strong>Campbell, Calif. (November 30, 2011)</strong> – In an effort to combat world hunger, <a href="http://www.barracudanetworks.com" target="_blank">Barracuda Networks</a> is challenging the world to help provide 10,000 meals for hungry children this holiday season. From November 30 until December 31, Barracuda Networks’ new one-for-one campaign – outlined at <a href="http://www.barracuda.com/clicksformeals" target="_blank">www.barracuda.com/clicksformeals</a> – offers three free, simple ways everyone can help donate meals to starving children around the world.</p>
<p>Barracuda Networks will provide one meal for each of the following:</p>
<ul>
<li><strong>Install</strong> <a href="http://www.profileprotector.com/" target="_blank">Profile Protector for Facebook and Twitter</a>. Profile Protector, available at <a href="http://www.profileprotector.com" target="_blank">www.profileprotector.com</a>, is a free tool that analyzes and blocks malicious activity on Facebook and Twitter.</li>
<li><strong>Follow</strong> <a href="http://www.twitter.com/barracudalabs" target="_blank">@barracudalabs on Twitter</a>. Barracuda Labs is the threat research team who created Profile Protector and reports at <a href="http://www.barracudalabs.com/" target="_blank">www.barracudalabs.com</a>.</li>
<li><strong>&#8220;Like&#8221;</strong> <a href="http://www.facebook.com/barracudanetworks" target="_blank">Barracuda Networks on Facebook</a>.</li>
</ul>
<p>“We spend a lot of time analyzing how attackers use social networks for bad – stealing identities, creating fake profiles, spreading malware and so forth,” said Dr. Paul Judge, chief research officer of Barracuda Networks. “We want to use the social networks to do some good. What better way to do that than to use the power and ease of Facebook and Twitter to raise awareness and money to fight hunger.&#8221;</p>
<p>Barracuda Networks will work with the United Nations World Food Programme to fulfill the meal donation as they continue to fight hunger worldwide. Additional information–including a one-minute video–about the campaign is available at <a href="http://www.barracuda.com/clicksformeals" target="_blank">www.barracuda.com/clicksformeals</a>.</p>
<p>“Attackers have proven time and again the enormous opportunity social networks create for malicious activity online,” continued Judge. “This initiative is a small token and acknowledgement of our continued fight to keep social networks safe and make an impact on thousands of children’s lives around the world.”</p>
<p>About <a href="http://www.profileprotector.com" target="_blank">Barracuda Profile Protector</a><br />
Barracuda Profile Protector is a free service that protects social networking users against malicious threats on Facebook and Twitter. The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds. Users can install Profile Protector at <a href="http://www.profileprotector.com" target="_blank">www.profileprotector.com</a>.</p>
<p>About <a href="http://www.barracudalabs.com/" target="_blank">Barracuda Labs</a><br />
Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks&#8217; business areas. The team evaluates the threat ecosystem and creates security intelligence to defend Barracuda Networks customers. Barracuda Labs&#8217; threat research areas, which include email, Web, network and cloud security and technology, are designed to improve the world&#8217;s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime. For more information, please visit <a href="http://www.barracudalabs.com/" target="_blank">www.barracudalabs.com</a>.</p>
<p>About <a href="http://www.barracudanetworks.com" target="_blank">Barracuda Networks Inc.</a><br />
Barracuda Networks combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content and network security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L&#8217;Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its International Headquarters in Campbell, Calif. For more information, please visit <a href="http://www.barracudanetworks.com" target="_blank">www.barracudanetworks.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/11/30/barracuda-networks-turns-follows-and-likes-into-meals-for-children-in-need/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seven Annoying Attacks That Facebook Misses</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 22:54:34 +0000</pubDate>
		<dc:creator>Barracuda Labs</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Internet Security Tips]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2037</guid>
		<description><![CDATA[This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released survey results that showed that 40% of Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security [...]]]></description>
			<content:encoded><![CDATA[<p>This week Facebook experienced a rash of attacks that posted pornographic images. Some even claimed to be nude celebrities and others claimed to be child pornography. Last month we released <a href="http://www.barracudalabs.com/SNS">survey</a> results that showed that 40% of  Facebook users do not feel safe on Facebook. Two weeks later, Facebook released an infographic showing its security initiatives and  statistics. We applaud the efforts; however, more is needed. When you  are trying to grow a social network as well as increase advertising  revenue, security becomes not only a lower priority but sometimes a  conflict of interest.</p>
<p>Facebook claims that only 0.5% of users experience spam on any given day. That is still 4 million people out of the 400 million users that log in on any given day. We suspect that measurement only counts spam that Facebook catches, which is clearly not 100% of the spam. While working on <a href="http://www.profileprotector.com">Profile Protector</a> and other web security intelligence, we regularly come across examples of spam and attacks that repeatedly use similar approaches that are detectable. We compiled this list of seven annoying attacks that Facebook misses.</p>
<p><strong> 1) Fake Product Pages:</strong></p>
<p>Knock-off luxury goods have always been popular scams. You might think you are buying your mother a nice new purse for a great price. If you actually get the product, which is a bit of a long shot, you are likely to find that the quality you expected from the brand is lacking at best. Facebook is rife with pages promoting these goods. Somehow these pages remain long-lived even after user complaints. Once they finally are shut down, there are already 8 duplicate pages running the same scam. Clearly there are some brands that just are not sitting on hundreds of photo albums on Facebook as their advertising platform: for example, Christian Louboutin, Louis Vuitton, Air Jordan and Beats By Dre.</p>

<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fakeproductpage_kicks2/' title='FakeProductPage_kicks2'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FakeProductPage_kicks2-150x150.png" class="attachment-thumbnail" alt="FakeProductPage_kicks2" title="FakeProductPage_kicks2" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fakeproductpage_kicks1/' title='FakeProductPage_kicks1'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FakeProductPage_kicks1-150x150.png" class="attachment-thumbnail" alt="FakeProductPage_kicks1" title="FakeProductPage_kicks1" /></a>

<p>&nbsp;</p>
<p><strong>2) Manipulated Accounts Recommendations:</strong></p>
<p>On social networks, those with less-than-good motives have figured out how to game the recommendation system and use it to their advantage. This is very similar to how attackers have used search engine optimization to promote their malware. Friends are recommended in a variety of ways, but an easily exploited example is through shared apps. Spammer accounts sign up for the same popular apps that real users do, and before too long they are showing up in your list of recommended friends, which snowballs nicely into giving them a foothold in the recommended list for each of your friends.</p>
<p>&nbsp;</p>
<p><strong>3) Affiliate Spam:</strong></p>
<p>Affiliate spam is a bigger and bigger part of the typical user&#8217;s incoming stream. Usually relying on the images of established and trusted brands, these scams tend to be very successful and take little work for those who run them. The hook is usually a free gift card or, in some cases, something as extravagant as a new iPad. They encourage or require the user to share it out to all their friends and say something like &#8220;I love Olive Garden&#8221; before being redirected to a never-ending series of offers in the form of premium text messaging, video rental and recurring subscriptions of all kinds that the user is required to sign up for to get the supposed &#8220;free&#8221; gift card. A run featuring a Starbucks gift card was successful enough that Starbucks corporate had to comment, letting users know it was not legitimate.</p>

<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/facebookspam_freestarbucksaffiliatepage/' title='FacebookSpam_freeStarBucksAffiliatePage'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FacebookSpam_freeStarBucksAffiliatePage-150x150.png" class="attachment-thumbnail" alt="FacebookSpam_freeStarBucksAffiliatePage" title="FacebookSpam_freeStarBucksAffiliatePage" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/facebookspam_outbackfreedinner/' title='FacebookSpam_OutbackFreeDinner'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FacebookSpam_OutbackFreeDinner-150x150.png" class="attachment-thumbnail" alt="FacebookSpam_OutbackFreeDinner" title="FacebookSpam_OutbackFreeDinner" /></a>
<p>&nbsp;</p>
<p><strong>4) Photo Tagging For Spam:</strong></p>
<p>The Facebook infographic referenced above mentions &#8220;Photo DNA&#8221;, but it is likely that this is little more than a database of hashes related to explicit and exploitative images. Photo tagging for spamming is one of the most popular methods of spamming through the network, but it doesn&#8217;t seem to be getting much attention. With each image uploaded, a spammer can tag as many as 50 other accounts in a photo, and have as many as 200 photos in an album. With everyone in Facebook having a maximum of 5,000 friends, each photo can reach a quarter million people. This leads to a fairly nice multiplier for bytes uploaded vs users reached, especially on a network that people spend as much time on as Facebook. Some basic image analysis will tell you if there are really 40 people in the picture or if it is just a pair of Hello Kitty heels.</p>
<p>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fb-spam-account-album-2/' title='FB-spam-account-album-2'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FB-spam-account-album-2-150x150.png" class="attachment-thumbnail" alt="FB-spam-account-album-2" title="FB-spam-account-album-2" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fb-spam-account-album-2-pic1/' title='FB-spam-account-album-2-pic1'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FB-spam-account-album-2-pic1-150x150.png" class="attachment-thumbnail" alt="FB-spam-account-album-2-pic1" title="FB-spam-account-album-2-pic1" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fb-spam-account-album-1-pic1/' title='FB-spam-account-album-1-pic1'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FB-spam-account-album-1-pic1-150x150.png" class="attachment-thumbnail" alt="FB-spam-account-album-1-pic1" title="FB-spam-account-album-1-pic1" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fb-spam-account-album-1/' title='FB-spam-account-album-1'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FB-spam-account-album-1-150x150.png" class="attachment-thumbnail" alt="FB-spam-account-album-1" title="FB-spam-account-album-1" /></a>

<p>&nbsp;</p>
<p><strong>5) Fake Apps</strong></p>
<p>Fake apps, malicious apps, misleading apps, whatever you want to call them, Facebook is overflowing with them. New examples show up daily, often focusing on giving users features that they wish Facebook would provide. After all, don&#8217;t we all want to know if that old flame still looks us up every few days? Or don&#8217;t we all wait for the launch of a &#8216;dislike&#8217; button? It is a big network and these are going to exist from time to time anywhere, but it is becoming more like the shareware sites of the late 90s, where most of the programs were of low quality and a relatively high percentage of them posed a risk. Usually they are in the information gathering and spamming business, but we have found examples that link to malicious binaries.</p>

<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/facebookfakeapp_dislikebutton/' title='FacebookFakeApp_dislikebutton'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FacebookFakeApp_dislikebutton-150x150.png" class="attachment-thumbnail" alt="FacebookFakeApp_dislikebutton" title="FacebookFakeApp_dislikebutton" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/facebookfakeapp_whovisitedyourprofile/' title='FacebookFakeApp_WhoVisitedYourProfile'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FacebookFakeApp_WhoVisitedYourProfile-150x150.png" class="attachment-thumbnail" alt="FacebookFakeApp_WhoVisitedYourProfile" title="FacebookFakeApp_WhoVisitedYourProfile" /></a>

<p>&nbsp;</p>
<p><strong>6) Stolen Pictures</strong></p>
<p>There is not really a set of sextuplets each with the same bikini picture as their personal profile picture. Those are fake accounts. The photo album that has the same two images (one the front view of a bikini and the other the back view of a different bikini) repeated 15 times each is not a real user. Certainly there are some images that will be common to multiple people, such as a team logo or newly released album cover. However, the fake accounts typically use images of a salacious nature. Sex sells, and these profiles do very well at gathering followers around a fake identity, only to occasionally slip an advertisement into the stream. Of course there is always the possibility that we&#8217;ve stumbled upon a set of identical sextuplets that would be very happy to reconnect&#8230;</p>

<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/selection_002/' title='Selection_002'><img width="150" height="116" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/Selection_002-e1321560946745-150x116.png" class="attachment-thumbnail" alt="Selection_002" title="Selection_002" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/selection_003/' title='Selection_003'><img width="150" height="106" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/Selection_003-e1321560991823-150x106.png" class="attachment-thumbnail" alt="Selection_003" title="Selection_003" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/selection_004/' title='Selection_004'><img width="150" height="115" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/Selection_004-e1321560863711-150x115.png" class="attachment-thumbnail" alt="Selection_004" title="Selection_004" /></a>

<p>&nbsp;</p>
<p><strong>7) Anomalous Behavior</strong></p>
<p>Finally, Facebook and social networks in general should focus on some form of anomaly detection. We&#8217;ve all seen examples of that friend who you never really talk to, and probably weren&#8217;t that interested in &#8220;friending&#8221; anyway, posting on your wall or messaging your account encouraging you to get a free iPad or a trip on Southwest Airlines, etc. Similar problems have been appropriately mitigated elsewhere in messaging, but social networks have a long way to go. In many ways we&#8217;re seeing the same problems that the security community has been dealing with for more than a decade. Instead of SMTP and a distributed network, more and more messaging is pushed over HTTP and closed networks that give the receiver little that they can do in the way of securing themselves. Looking for behavior that is an outlier to the normal pattern is a well-understood approach in other areas of network and messaging security. If someone that never uses chat is suddenly chatting with dozens of people and forwarding the same link, then there is a high likelihood of suspicious activity.</p>

<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/anomoly/' title='anomoly'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/anomoly-150x150.png" class="attachment-thumbnail" alt="anomoly" title="anomoly" /></a>
<a href='http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/fbim/' title='FBIM'><img width="150" height="150" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/11/FBIM-150x150.png" class="attachment-thumbnail" alt="FBIM" title="FBIM" /></a>

<p>&nbsp;</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/11/16/seven-annoying-attacks-that-facebook-misses/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mommar Gaddafi &#8211; 419 spam&#8217;s new favorite subject</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/10/21/mommar-gaddafi-419-spams-new-favorite-subject/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/10/21/mommar-gaddafi-419-spams-new-favorite-subject/#comments</comments>
		<pubDate>Fri, 21 Oct 2011 21:12:35 +0000</pubDate>
		<dc:creator>Dave Michmerhuizen</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=2022</guid>
		<description><![CDATA[by Dave Michmerhuizen &#38; Luis Chapetti &#8211; Security Researchers When you are engaged in direct marketing, your first order of business is to get the attention of your customer.  This is just as true for Nigerian 419 spammers as it is for everyone else, and widespread news coverage of the recent death of Mommar Gaddafi [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #808080;"><em>by Dave Michmerhuizen &amp; Luis Chapetti &#8211; Security Researchers</em></span></p>
<p style="text-align: center;"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/10/gaddafi_snip.jpg" target="_blank"><img class="aligncenter size-full wp-image-2023" style="border: 1px solid black;" title="Spam" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/10/gaddafi_snip.jpg" alt="" width="410" height="156" /></a></p>
<p>When you are engaged in direct marketing, your first order of business is to get the attention of your customer.  This is just as true for Nigerian 419 spammers as it is for everyone else, and widespread news coverage of the recent death of Mommar Gaddafi is a gift for the <a href="http://www.scamorama.com" target="_blank">Lads from Lagos</a>.</p>
<p>The spam monitors at Barracuda Labs have been detecting a steady stream of these spams, where the family of a dead African prince has been hastily replaced by the son of the dead Libyan dictator.</p>
<div id="attachment_2024" class="wp-caption alignnone" style="width: 460px"><a href="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/10/gaddafi_eml.jpg" target="_blank"><img class="size-full wp-image-2024" title="Gaddafi-themed spam" src="http://www.barracudalabs.com/wordpress/wp-content/uploads/2011/10/gaddafi_eml.jpg" alt="Gaddafi-themed spam" width="450" height="343" /></a><p class="wp-caption-text">(Click for larger image)</p></div>
<p>&nbsp;</p>
<p>Of course, by now, we hope that all email users recognize this sort of spam as an attempt to perpetrate <a href="http://www.sec.gov/answers/nigerianadvancefeefraud.htm" target="_blank">Advance Fee Fraud</a>. The spammers pump any respondent for personal financial information and then string them along with promises of millions of dollars once a few paltry &#8216;fees&#8217; are paid in advance &#8211; thus the name, Advance Fee Fraud.</p>
<p>&nbsp;</p>
<p><a href="http://www.barracudanetworks.com/">Barracuda Networks</a> customers using the <a title="Spam &amp; Virus Firewall" href="http://www.barracudanetworks.com/ns/products/spam_overview.php" target="_blank">Barracuda Spam &amp; Virus Firewall</a> are protected from these emails.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/10/21/mommar-gaddafi-419-spams-new-favorite-subject/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Barracuda Labs Releases 2011 Social Networking Security and Privacy Study</title>
		<link>http://www.barracudalabs.com/wordpress/index.php/2011/10/12/barracuda-labs-releases-2011-social-networking-security-and-privacy-study/</link>
		<comments>http://www.barracudalabs.com/wordpress/index.php/2011/10/12/barracuda-labs-releases-2011-social-networking-security-and-privacy-study/#comments</comments>
		<pubDate>Wed, 12 Oct 2011 11:11:12 +0000</pubDate>
		<dc:creator>vives</dc:creator>
				<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Statistics]]></category>

		<guid isPermaLink="false">http://www.barracudalabs.com/wordpress/?p=1990</guid>
		<description><![CDATA[By: Barracuda Labs For Immediate Release NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS Barracuda Labs Releases 2011 Social Networking Security &#38; Privacy Study View the Infographic – http://www.barracudalabs.com/SNS View the Report – http://www.barracudalabs.com/SNSreport Campbell, Calif. (Oct. 12, 2011) – Barracuda Labs today released [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><em><span style="color: #888888;">By: Barracuda Labs</span></em></p>
<p style="text-align: justify;"><strong>For Immediate Release</strong></p>
<p style="text-align: justify;"><strong>NINE OUT OF 10 PEOPLE ATTACKED AND ONE OUT OF FIVE PEOPLE DAMAGED BY PRIVACY LAPSE ON SOCIAL NETWORKS</strong></p>
<p style="text-align: justify;"><strong><em>Barracuda Labs Releases 2011 Social Networking Security &amp; Privacy Study</em></strong></p>
<ul>
<li>View the Infographic – <a href="http://www.barracudalabs.com/SNS" target="_blank">http://www.barracudalabs.com/SNS</a></li>
<li>View the Report – <a href="http://www.barracudalabs.com/SNSreport" target="_blank">http://www.barracudalabs.com/SNSreport</a></li>
</ul>
<p style="text-align: justify;"><strong>Campbell, Calif. (Oct. 12, 2011) </strong>– <a href="http://www.barracudalabs.com/" target="_blank">Barracuda Labs</a> today released its 2011 Social Networking Security &amp; Privacy Study. The complete study and infographic can be seen at <a href="http://www.barracudalabs.com/" target="_blank">www.barracudalabs.com</a>. Barracuda Labs is the research arm of <a href="http://www.barracudanetworks.com" target="_blank">Barracuda Networks Inc.</a>, the leading provider of security, application delivery and data protection solutions to businesses.</p>
<p style="text-align: justify;">“Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially,” said Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks and users are living in fear.”</p>
<p style="text-align: justify;">The study focuses on social networking usage, security and privacy, and is based on survey results from hundreds of users representing over 20 countries. The study was conducted over a two-week span between September and October 2011. Overall, users value security and privacy almost as much as popularity and ease of use. Major highlights from the study are included below.</p>
<p style="text-align: justify;"><strong>Social Networking Usage</strong></p>
<ul style="text-align: justify;">
<li>LinkedIn is the social network most accepted by businesses, with only 20 percent of companies blocking or limiting its usage, compared with 31 percent of companies that block or limit Facebook.</li>
</ul>
<p style="text-align: justify;"><strong>Social Networking Security</strong></p>
<ul style="text-align: justify;">
<li> Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.</li>
</ul>
<p style="text-align: justify;"><strong>Social Networking Privacy</strong></p>
<ul style="text-align: justify;">
<li> One in five people has been negatively affected by information that was exposed on a social network.</li>
</ul>
<p style="text-align: justify;"><strong>2011 Social Networking Security &amp; Privacy Study – Resources:</strong></p>
<ul style="text-align: justify;">
<li>Infographic – <a href="http://www.barracudalabs.com/SNS" target="_blank">http://www.barracudalabs.com/SNS</a></li>
<li>Report – <a href="http://www.barracudalabs.com/SNSreport" target="_blank">http://www.barracudalabs.com/SNSreport</a></li>
</ul>
<p style="text-align: justify;"><strong>About Barracuda Labs</strong></p>
<p>Barracuda Labs is a global multi-disciplinary research and threat analysis team that fulfills a critical role in developing innovative technologies across Barracuda Networks’ business areas. Barracuda Labs’ threat research areas include email, Web, network and cloud security and technology. Barracuda Labs aims to improve the world’s security posture by promoting security awareness and education, developing and innovating new defense technologies, and working with government and law enforcement agencies to reduce cybersecurity crime.</p>
<p style="text-align: justify;"><strong>About Barracuda Networks</strong></p>
<p>Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email and Web threats, as well as products that improve application delivery and network access, message archiving, backup and data protection. Coca-Cola, FedEx, Harvard University, IBM, L&#8217;Oreal, and Europcar are among the more than 150,000 organizations protecting their IT infrastructures with Barracuda Networks’ range of affordable, easy-to-deploy and manage solutions. Barracuda Networks is privately held with its international headquarters in Campbell, Calif. For more information, please visit <a href="http://www.barracudanetworks.com" target="_blank">www.barracudanetworks.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.barracudalabs.com/wordpress/index.php/2011/10/12/barracuda-labs-releases-2011-social-networking-security-and-privacy-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

